Snort mailing list archives

Re: new SIP preproc on snort v2.9.1 never firing?


From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 6 Sep 2011 19:52:30 -0400

Do you have the preprocessor rules enabled?

On Tue, Sep 6, 2011 at 5:32 PM, rmkml <rmkml () yahoo fr> wrote:

Hi,
I'm continuing to test the latest Snort v2.9.1, but the new SIP preproc never fires.
Does anyone have alerts with the SIP preproc? (GID 140)

I tested with the default snort.conf:
 ...
 PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
 ...
 Loading dynamic preprocessor library dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
 ...
 SIP config:
  Max number of sessions: 10000 (Default)
  Status: ENABLED
  Ignore media channel: DISABLED
  Max URI length: 512
  Max Call ID length: 80
  Max Request name length: 20 (Default)
  Max From length: 256 (Default)
  Max To length: 256 (Default)
  Max Via length: 1024 (Default)
  Max Contact length: 512
  Max Content length: 1024 (Default)
  Ports:
        5060    5061    5600
  Methods:
   invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
...
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
...
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
...

I reduced the SIP lengths, but the SIP preproc still never fires.

I read doc/README.sip and of course enabled UDP on stream5 (default
snort.conf).
Tested with nessus, nmap, many scanners, replayed traffic, sipp...
Regards
Rmkml

http://twitter.com/rmkml


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
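
Following up on the question in this reply, an added example (not part of the thread, and not Sourcefire's code) that checks whether a Snort configuration actually loads any enabled rule for GID 140. The snort.conf fragment, rule path, rule messages and SIDs are constructed, and the parsing assumes the plain `var` / `include` directive syntax of Snort 2.x configuration files.

```python
import re

GID_SIP = 140  # generator ID for SIP preprocessor alerts, as given in the thread

# Constructed snort.conf fragment: SIP preprocessor configured, rule include commented out.
CONF_OFF = """\
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sip: max_sessions 10000, ports { 5060 5061 5600 }
# include $PREPROC_RULE_PATH/preprocessor.rules
"""
CONF_ON = CONF_OFF.replace("# include", "include")

# Constructed rule file contents; path, messages and SIDs are placeholders.
RULES = {"../preproc_rules/preprocessor.rules": """\
alert ( msg: "constructed SIP event A"; sid: 1; gid: 140; rev: 1; )
# alert ( msg: "constructed SIP event B"; sid: 2; gid: 140; rev: 1; )
alert ( msg: "constructed non-SIP event"; sid: 1; gid: 119; rev: 1; )
"""}

def active_lines(text):
    """Yield lines that are neither blank nor commented out."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def active_includes(conf):
    """Return include paths from active lines, with 'var' variables expanded."""
    variables, paths = {}, []
    expand = lambda m: variables.get(m.group(1), m.group(0))
    for line in active_lines(conf):
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) >= 2:
            paths.append(re.sub(r"\$(\w+)", expand, parts[1]))
    return paths

def enabled_sids(rules_text, gid):
    """Return SIDs of uncommented rules whose gid option equals gid."""
    sids = []
    for line in active_lines(rules_text):
        g = re.search(r"\bgid:\s*(\d+)\s*;", line)
        s = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if g and s and int(g.group(1)) == gid:
            sids.append(int(s.group(1)))
    return sids

def sip_alerts_possible(conf, rule_files, gid=GID_SIP):
    """True only if an active include loads at least one enabled rule for gid."""
    return any(enabled_sids(rule_files.get(p, ""), gid) for p in active_includes(conf))
```

A preprocessor that reports `Status: ENABLED` at startup can still produce no alerts when this check returns False, because nothing maps its events to an active rule.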
